[FIGURE 1 (Prior Art) and FIGURE 2: packet layout showing IP HEADER, TCP HEADER and DATA.
IP header fields shown: VER., IHL, TYPE OF SERVICE, TIME TO LIVE, IDENTIFIER, PROTOCOL, TOTAL LENGTH, FLAGS, FRAGMENT OFFSET, HEADER CHECKSUM, SOURCE ADDRESS.
TCP header fields shown: SOURCE PORT, DESTINATION PORT, SEQUENCE NUMBER, DATA OFFSET, ACKNOWLEDGMENT NUMBER, RESERVED, FLAGS, CHECKSUM, WINDOW, URGENT POINTER, OPTIONS, PADDING.]




[FIGURE 3 (Prior Art): flowchart. Box labels, in the order extracted: START; EXTRACT SA AND ID FROM THE IP HEADER; PERFORM TCP CLASSIFICATION; STORE ACTIONS USING (SA, ID) AS A KEY; LOOK UP KEY (SA, ID) FOR BUFFERED FRAGMENTS; PERFORM NORMAL PACKET PROCESSING; LOOKUP KEY (SA, ID) TO OBTAIN ACTION; APPLY ACTION AND RELEASE FRAGMENT; BUFFER PACKET WITH KEY (SA AND ID); APPLY ACTION TO FRAGMENT; END. The decision boxes, which have YES and NO branches, are not legible.]



[FIGURE 5: fields shown: IP SOURCE ADDRESS (SA), IP DESTINATION ADDRESS, PROTOCOL, TCP SOURCE PORT, TCP DESTINATION PORT, FRAGMENTED FLAG, NOT SUBSEQUENT FLAG.]



[FIGURE 6: fields shown: ANY TCP RULES FLAG, DISCARD IF FRAGMENTED FLAG, FORWARD TO CONTROL POINT IF FRAGMENTED FLAG.]



[FIGURE 7: RULE DATA BASE FORMAT. Fields: SA, DA, SP, DP, PROTOCOL, FRAG, NO SUBS, ACTION.]

SA = SOURCE ADDRESS
DA = DESTINATION ADDRESS
SP = SOURCE PORT
DP = DESTINATION PORT
FRAG = FRAGMENTED FLAG
NO SUBS = NOT SUBSEQUENT FLAG

[FIGURE 8: RULE DATA BASE. Rows RULE 0 through RULE N-1; columns SA, DA, SP, DP, PROTOCOL, FRAG, NO SUBS, ACTION.]



[Figure residue: block diagram including a Network Processor; the other labels and the caption are not recoverable.]



[FIGURE 10: block diagram. Labels: CPU, APPL PROG, DRVS, OP SYS, ROM, BUS, RAM, I/O ADAPS.]






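[FIGURE 11: table; title and first column header not legible. Value columns: Fragmented, Not Subsequent.]

Fragmented or non-fragmented: Fragmented = Don't care; Not Subsequent = (not legible)
Non-fragmented only: Fragmented = FALSE; Not Subsequent = Don't care
Non-fragmented or first fragment: Fragmented = Don't care; Not Subsequent = TRUE
First or subsequent fragment: Fragmented = TRUE; Not Subsequent = Don't care
Subsequent fragment only: Fragmented = TRUE; Not Subsequent = FALSE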



